This article is taken from 亮神's collection; it is purely a compilation for my own convenience.

I. Discovering live internal hosts via ICMP
1、nmap
nmap -sP -PI 192.168.1.0/24 -T4    (-sP/-PI are the old spellings of -sn/-PE)
nmap -sn -PE -T4 192.168.1.0/24
2、Scanning from cmd
for /l %i in (1,1,255) do @ping 10.0.0.%i -w 1 -n 1 | find /i "ttl="
(only an echo reply carries a "TTL=" field, so the filter prints exactly the hosts that answered)
3、powershell

powershell.exe -exec bypass -Command "Import-Module ./Invoke-TSPingSweep.ps1; Invoke-TSPingSweep -StartAddress 192.168.1.1 -EndAddress 192.168.1.254 -ResolveHost -ScanPort -Port 445,135"

4、tcping.exe -n 1 192.168.1.0 80    (a TCP connect to port 80 rather than an ICMP probe; handy where ICMP is filtered)
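The probe all of the tools above send is an ICMP type 8 echo request, and the evidence they report (the "ttl=" match in the cmd loop) is a type 0 echo reply whose identifier matches the one sent. The following is an added example, not code from the original post: it builds the request by hand with the RFC 1071 checksum, parses a reply as a raw ICMP socket delivers it (IPv4 header included) and runs a sweep over a CIDR range. The addresses, identifier and the constructed reply datagram are test fixtures, not captured traffic; the live sweep needs root (Administrator on Windows) for the raw socket.

```python
# Added example (not from the original post): the ICMP echo probe behind
# nmap -PE and the cmd `ping ... | find "ttl="` loop, built by hand so the
# checksum and reply matching are visible. Sending needs a raw socket
# (root/Administrator); building and parsing run anywhere, offline.
import ipaddress
import os
import socket
import struct
import time
from typing import List, Optional

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; evaluates to 0 over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"\x00" * 32) -> bytes:
    """Type 8 / code 0 echo request; the checksum covers header + payload."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident & 0xFFFF, seq & 0xFFFF)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident & 0xFFFF, seq & 0xFFFF) + payload


def parse_echo_reply(datagram: bytes, ident: int) -> Optional[dict]:
    """Raw ICMP sockets deliver the IPv4 header too: take TTL and source from it,
    then accept only a type 0 reply with our identifier and a verifying checksum."""
    if len(datagram) < 28:
        return None
    ihl = (datagram[0] & 0x0F) * 4
    ttl = datagram[8]
    src = socket.inet_ntoa(datagram[12:16])
    icmp = datagram[ihl:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None
    typ, _code, _csum, rid, seq = struct.unpack("!BBHHH", icmp[:8])
    if typ != ICMP_ECHO_REPLY or rid != (ident & 0xFFFF):
        return None
    return {"src": src, "ttl": ttl, "seq": seq}


def make_echo_reply_datagram(src: str, dst: str, ttl: int, ident: int, seq: int) -> bytes:
    """Constructed sample input for offline testing: an IPv4 datagram carrying an
    echo reply, shaped as the kernel hands it to a raw ICMP socket."""
    body = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, ident, seq) + b"\x00" * 32
    body = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, inet_checksum(body), ident, seq) + body[8:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, ttl, 1, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + body


def ping_sweep(cidr: str, timeout: float = 1.0) -> List[str]:
    """Send one echo request to every host in the range, then collect replies until
    the timeout. Requires CAP_NET_RAW / root (Administrator on Windows)."""
    ident = os.getpid() & 0xFFFF
    alive: List[str] = []
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        for seq, host in enumerate(ipaddress.ip_network(cidr, strict=False).hosts(), 1):
            s.sendto(build_echo_request(ident, seq), (str(host), 0))
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                data, _ = s.recvfrom(2048)
            except socket.timeout:
                break
            reply = parse_echo_reply(data, ident)
            if reply and reply["src"] not in alive:
                alive.append(reply["src"])
    return alive


if __name__ == "__main__":
    print(ping_sweep("192.168.1.0/24"))  # needs root; adjust the range to your network
```

Hosts whose firewall drops ICMP never show up here, which is why the later sections fall back to ARP, NetBIOS, SNMP and TCP/445.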

II. Discovering live internal hosts via UDP
1、nmap -sU -T5 -sV --max-retries 1 192.168.1.100 -p 500    # excruciatingly slow: open UDP ports usually stay silent, so nmap has to wait for each probe to time out
2、msf modules

use auxiliary/scanner/discovery/udp_probe
use auxiliary/scanner/discovery/udp_sweep

3、unicornscan
unicornscan -mU 192.168.1.100
4、ScanLine
5、Online scanner
https://pentest-tools.com/network-vulnerabilityscanning/udp-port-scanner-online-nmap

III. Discovering live internal hosts via ARP
(ARP only reaches hosts on your own layer-2 segment, but host firewalls cannot suppress the reply, so on the local subnet it is the most reliable method)
1、nmap -sn -PR 192.168.1.1/24
2、msf module
use auxiliary/scanner/discovery/arp_sweep
3、netdiscover
netdiscover -r 192.168.1.0/24 -i wlan0
4、arp-scan
Project page: https://linux.die.net/man/1/arp-scan
5、powershell
powershell.exe -exec bypass -Command "Import-Module .\arpscan.ps1;Invoke-ARPScan -CIDR 192.168.1.0/24"
6、arp scannet
Project page: https://sourceforge.net/projects/arpscannet/files/arpscannet/arpscannet%200.4/
7、arp-scan (Windows)
(Recommended) fast and convenient
arp-scan.exe -t 192.168.1.1/24
Project page: https://github.com/QbsuranAlang/arp-scan-windows-/tree/master/arp-scan (unofficial)
8、arp-ping.exe
arp-ping.exe 192.168.1.100
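Every tool in this section does the same thing: broadcast an Ethernet frame carrying an ARP "who-has" for each address and record which MAC answers "is-at". The block below is an added example, not code from the original post or from any of the tools listed: it builds that frame, parses the reply and, on Linux, runs the sweep over an AF_PACKET socket. The interface name, MAC and IP addresses are placeholders, and the reply frame used for the offline check is constructed, not captured.

```python
# Added example (not from the original post): the Ethernet/ARP request that
# nmap -PR, arp-scan and netdiscover send, plus the reply parser. ARP stops at
# the local broadcast domain, and hosts answer it even when their firewall drops
# ICMP, which is why the post recommends it for LAN sweeps.
import ipaddress
import socket
import struct
import time
from typing import Dict, Optional

ETH_P_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """14-byte Ethernet header to ff:ff:ff:ff:ff:ff + 28-byte ARP body
    (hardware type 1 = Ethernet, protocol 0x0800 = IPv4, target MAC left zero)."""
    eth = struct.pack("!6s6sH", BROADCAST_MAC, mac_bytes(src_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REQUEST,
                      mac_bytes(src_mac), socket.inet_aton(src_ip),
                      b"\x00" * 6, socket.inet_aton(target_ip))
    return eth + arp


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructed sample input for offline testing: the 'is-at' a live host sends back."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp_reply(frame: bytes) -> Optional[Dict[str, str]]:
    """Return {'ip', 'mac'} of the sender for a well-formed IPv4 ARP reply, else None."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return {"ip": socket.inet_ntoa(spa), "mac": mac_str(sha)}


def arp_scan(iface: str, src_mac: str, src_ip: str, cidr: str, timeout: float = 2.0) -> Dict[str, str]:
    """Linux-only live sweep over an AF_PACKET socket (needs root). Returns ip -> mac."""
    found: Dict[str, str] = {}
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        s.settimeout(0.2)
        for host in ipaddress.ip_network(cidr, strict=False).hosts():
            s.send(build_arp_request(src_mac, src_ip, str(host)))
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                frame = s.recv(65535)
            except socket.timeout:
                continue
            reply = parse_arp_reply(frame)
            if reply:
                found[reply["ip"]] = reply["mac"]
    return found


if __name__ == "__main__":
    # Placeholder interface, MAC and address: substitute your own host's values.
    print(arp_scan("eth0", "aa:bb:cc:dd:ee:01", "192.168.1.5", "192.168.1.0/24"))
```

The MAC in each reply is worth keeping: its OUI tells you the vendor (VMware, Cisco, printers) before any port has been touched, which is what arp-scan's default output shows.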

IV. Discovering live internal hosts via NetBIOS
1、nmap -sU --script nbstat.nse -p137 192.168.1.0/24 -T4
2、msf module
use auxiliary/scanner/netbios/nbname
3、nbtscan
Project page: http://www.unixwiz.net/tools/nbtscan.html
nbtscan-1.0.35.exe -m 192.168.1.0/24
nbtstat -n (recommended; built into Windows. Note that -n only lists the local machine's own name table; to query a remote host use nbtstat -A <ip>)
On Linux, nbtscan has to be installed separately
4、NetBScanner
Project page: https://www.nirsoft.net/utils/netbios_scanner.html
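nbtscan, nbstat.nse, the nbname module and nbtstat -A all send one datagram: a NetBIOS node-status (NBSTAT) query for the wildcard name "*" to UDP/137, and a live Windows host answers with its full name table and MAC, no credentials required. The block below is an added example, not code from the original post or from any of those tools: it encodes the 50-byte query, parses the reply and can send a live query. The host names and MAC in the constructed reply are made up for the offline check.

```python
# Added example (not from the original post): the NetBIOS node-status (NBSTAT)
# query behind nbtscan, nbstat.nse and nbtstat -A, plus a parser for the name
# table and MAC in the reply. Plain UDP, so no privileges are needed.
import random
import socket
import struct
from typing import List, Optional, Tuple

NBSTAT_QTYPE = 0x0021
IN_CLASS = 0x0001
# Common 16th-byte suffixes (RFC 1001/1002 and Microsoft usage).
SUFFIX_NAMES = {0x00: "Workstation", 0x03: "Messenger", 0x1B: "Domain Master Browser",
                0x1C: "Domain Controllers", 0x1D: "Master Browser",
                0x1E: "Browser Elections", 0x20: "File Server"}


def encode_netbios_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """RFC 1001 first-level encoding: 15 chars + suffix byte, each byte split into
    two nibbles written as 'A'..'P', as one 32-char label. '*' is padded with NULs."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    encoded = bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return bytes([len(encoded)]) + encoded + b"\x00"


def build_nbstat_query(txid: int) -> bytes:
    """Header (flags 0, one question) + wildcard name + QTYPE NBSTAT, QCLASS IN = 50 bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_netbios_name("*", 0x00, pad=b"\x00") + struct.pack("!HH", NBSTAT_QTYPE, IN_CLASS)


def parse_nbstat_response(data: bytes, txid: int) -> Optional[dict]:
    """Return {'names': [(name, suffix, is_group)], 'mac': str} for a matching
    positive node-status response, else None."""
    if len(data) < 12:
        return None
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or ancount < 1:
        return None
    pos = 12
    while pos < len(data) and data[pos] != 0:   # skip the length-prefixed name labels
        pos += 1 + data[pos]
    pos += 1                                    # terminating zero byte
    if pos + 10 > len(data):
        return None
    rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT_QTYPE or pos + rdlength > len(data):
        return None
    num_names = data[pos]
    pos += 1
    names: List[Tuple[str, int, bool]] = []
    for _ in range(num_names):                  # 18 bytes each: 15 name, 1 suffix, 2 flags
        entry = data[pos:pos + 18]
        if len(entry) < 18:
            return None
        name = entry[:15].rstrip(b" \x00").decode("latin-1")
        name_flags = struct.unpack("!H", entry[16:18])[0]
        names.append((name, entry[15], bool(name_flags & 0x8000)))  # bit 15 = group name
        pos += 18
    mac = ":".join(f"{b:02x}" for b in data[pos:pos + 6])           # unit ID = adapter MAC
    return {"names": names, "mac": mac}


def build_nbstat_response(txid: int, names: List[Tuple[str, int, bool]], mac: str) -> bytes:
    """Constructed sample reply for offline testing (statistics block left zero)."""
    rdata = bytes([len(names)])
    for name, suffix, is_group in names:
        rdata += name.encode("ascii").ljust(15, b" ") + bytes([suffix])
        rdata += struct.pack("!H", 0x8000 if is_group else 0x0400)  # 0x0400 = ACT(ive)
    rdata += bytes.fromhex(mac.replace(":", "")) + b"\x00" * 40
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = encode_netbios_name("*", 0x00, pad=b"\x00") + struct.pack("!HHIH", NBSTAT_QTYPE, IN_CLASS, 0, len(rdata))
    return header + rr + rdata


def nbstat_query(ip: str, timeout: float = 1.0) -> Optional[dict]:
    """Live query of one host on UDP/137; None means no (matching) answer."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(txid), (ip, 137))
        try:
            data, _ = s.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_nbstat_response(data, txid)


if __name__ == "__main__":
    print(nbstat_query("192.168.1.100"))  # placeholder target from the post
```

The suffix byte is the useful part of the table: a 0x20 entry means the file-server service is up, 0x1C marks a domain controller, and a group entry (bit 15 set) named like the workstation entry is the workgroup or domain name.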

V. Discovering live internal hosts via SNMP
1、nmap -sU --script snmp-brute 192.168.1.0/24 -T4    (add -p 161 unless you really want a full UDP port sweep of every host)
2、msf module
use auxiliary/scanner/snmp/snmp_enum
3、snscan
From McAfee
4、NetCrunch
Project page: https://www.adremsoft.com/demo/
5、SNMP Perl scanner
Project page: https://github.com/dheiland-r7/snmp
6、snmpbulkwalk
7、snmp-check
8、snmptest
Appendix:

msf modules:
use auxiliary/scanner/snmp/aix_version
use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/snmp/arris_dg950
use auxiliary/scanner/snmp/snmp_enum_hp_laserjet
use auxiliary/scanner/snmp/brocade_enumhash
use auxiliary/scanner/snmp/snmp_enumshares
use auxiliary/scanner/snmp/cambium_snmp_loot
use auxiliary/scanner/snmp/snmp_enumusers
use auxiliary/scanner/snmp/cisco_config_tftp
use auxiliary/scanner/snmp/snmp_login
use auxiliary/scanner/snmp/cisco_upload_file
use auxiliary/scanner/snmp/snmp_set
use auxiliary/scanner/snmp/netopia_enum
use auxiliary/scanner/snmp/ubee_ddw3611
use auxiliary/scanner/snmp/sbg6580_enum
use auxiliary/scanner/snmp/xerox_workcentre_enumusers

Other internal-network security audit tools (SNMP):
项目地址:https://www.solarwinds.com/topics/snmp-scanner
项目地址:https://www.netscantools.com/nstpro_snmp.html
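Both the UDP section and this one come down to the same mechanism: a UDP service only reveals a host if the probe is one it answers, and for SNMP that probe is an SNMPv1 GetRequest for sysDescr.0 with a guessed community string (udp_probe, snmp_enum, snmp-check and snmp-brute all start there). The block below is an added example, not code from the original post or from Metasploit or nmap: a minimal BER encoder and decoder that produces the classic 40-byte request, parses the GetResponse and can send a live query. The community "public", the target host and the sysDescr value in the constructed reply are assumptions for the offline check.

```python
# Added example (not from the original post): minimal BER/ASN.1 for an SNMPv1
# GetRequest on sysDescr.0, the probe udp_probe, snmp_enum and snmp-check send.
# An agent with a different community string stays silent, which is exactly
# why UDP-based discovery is slow and why community guessing matters.
import random
import socket
from typing import Any, Dict, Optional, Tuple

SYS_DESCR = "1.3.6.1.2.1.1.1.0"


def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value: int) -> bytes:
    """Non-negative INTEGER, minimal two's-complement (leading 0x00 when the high bit is set)."""
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]                 # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                 # base-128, high bit = more bytes follow
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]           # valid for first arc 0/1 (and 2 below 40)
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Message{version 0, community, GetRequest(A0){id, 0, 0, [{oid, NULL}]}}."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def build_get_response(community: str, oid: str, value: bytes, request_id: int = 1) -> bytes:
    # Constructed sample reply for offline testing: GetResponse (A2) with an OCTET STRING value.
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x04, value))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long form: next n bytes hold the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def parse_get_response(data: bytes, request_id: int) -> Optional[Dict[str, Any]]:
    """Return {oid: value} from a GetResponse whose request-id matches and has no error, else None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    _tag, msg, _ = read_tlv(data, 0)
    _t, _version, pos = read_tlv(msg, 0)
    _t, _community, pos = read_tlv(msg, pos)
    tag, pdu, _ = read_tlv(msg, pos)
    if tag != 0xA2:
        return None
    _t, rid, pos = read_tlv(pdu, 0)
    _t, err, pos = read_tlv(pdu, pos)
    if int.from_bytes(rid, "big") != request_id or int.from_bytes(err, "big") != 0:
        return None                                # foreign reply, or error-status such as noSuchName
    _t, _errindex, pos = read_tlv(pdu, pos)
    _t, vblist, _ = read_tlv(pdu, pos)
    result: Dict[str, Any] = {}
    pos = 0
    while pos < len(vblist):
        _t, vb, pos = read_tlv(vblist, pos)
        _t, oid_body, vpos = read_tlv(vb, 0)
        vtag, vbody, _ = read_tlv(vb, vpos)
        if vtag == 0x04:
            val: Any = vbody.decode("latin-1")
        elif vtag in (0x02, 0x41, 0x42, 0x43):     # INTEGER, Counter32, Gauge32, TimeTicks
            val = int.from_bytes(vbody, "big")
        else:
            val = None if vtag == 0x05 else vbody
        result[decode_oid(oid_body)] = val
    return result


def snmp_get(host: str, community: str = "public", oid: str = SYS_DESCR, timeout: float = 1.0):
    """Live probe on UDP/161; None means closed, filtered, or the community was wrong."""
    rid = random.randrange(1, 0x7FFFFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid, rid), (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_get_response(data, rid)
```

Checking the request-id before trusting a reply matters on a noisy segment: any datagram arriving on the socket's port would otherwise be read as a result. For a sweep, call snmp_get per host with a short timeout and try a handful of communities (public, private, vendor defaults); that is all snmp-brute does in bulk.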

VI. Discovering live internal hosts via SMB
1、msf module
use auxiliary/scanner/smb/smb_version
2、cme (CrackMapExec)
cme smb 192.168.1.0/24
3、nmap
nmap -sU -sS --script smb-enum-shares.nse -p 445 192.168.1.119
4、Scanning from cmd
for /l %a in (1,1,254) do start /min /low telnet 192.168.1.%a 445
(the telnet client is an optional Windows feature and is often not installed)
5、powershell
(TcpClient.Connect() has no timeout of its own, so a filtered address blocks each call for the OS connect timeout; fine for a handful of hosts, slow for a /24)
Single IP:

445 | %{ echo ((new-object Net.Sockets.TcpClient).Connect("192.168.1.119",$_)) "$_ is open"} 2>$null

Multiple IPs:

1..5 | % { $a = $_; 445 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.1.$a",$_)) "Port $_ is open"} 2>$null}

Multiple ports, multiple IPs:

118..119 | % { $a = $_; write-host "------"; write-host "192.168.1.$a"; 80,445 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.1.$a",$_)) "Port $_ is open"} 2>$null}
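The PowerShell one-liners above are plain TCP connect scans: a completed handshake on 445 means a live host running SMB. The block below is an added example, not code from the original post, that generalises them with a bounded per-connection timeout and a thread pool, so a filtered /24 finishes in seconds instead of minutes. The 192.168.1.x range and the port list are taken from the post; the offline check binds its own listener on 127.0.0.1 rather than touching a real network.

```python
# Added example (not from the original post): the TCP-connect probe behind the
# PowerShell TcpClient one-liners, generalised to many hosts and ports with a
# per-connection timeout and a thread pool. Needs no privileges.
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if the three-way handshake completes, i.e. the port is open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:          # refused (RST), timed out (filtered), unreachable network...
            return False


def tcp_scan(hosts: Iterable[str], ports: Iterable[int], timeout: float = 0.5,
             workers: int = 128) -> Dict[str, List[int]]:
    """Return {host: [open ports]} for every (host, port) pair, probed concurrently."""
    targets: List[Tuple[str, int]] = [(h, p) for h in hosts for p in ports]
    open_ports: Dict[str, List[int]] = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda t: probe(t[0], t[1], timeout), targets)
        for (host, port), is_open in zip(targets, results):
            if is_open:
                open_ports.setdefault(host, []).append(port)
    return open_ports


def hosts_in(cidr: str) -> List[str]:
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def demo_against_local_listener() -> Tuple[int, int, Dict[str, List[int]]]:
    """Offline check: listen on one ephemeral port on 127.0.0.1, pick a second port
    that nothing listens on, scan both. Returns (open_port, closed_port, result)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                         # released without listen(): connects get a RST
    try:
        result = tcp_scan(["127.0.0.1"], [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()
    return open_port, closed_port, result


if __name__ == "__main__":
    # Live use on the post's range; 139 and 135 round out the Windows picture.
    print(tcp_scan(hosts_in("192.168.1.0/24"), [445, 139, 135]))
```

A refused connection comes back instantly (the host is up, the port closed), while a silent drop consumes the full timeout; keep the timeout short on a LAN and raise the worker count rather than the timeout when a range is mostly filtered.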
Categories: Web Security